TRANSCRIPT
CISA | Cybersecurity and Infrastructure Security Agency
IMPLEMENTING THE NECP WEBINARS
How Does Your Agency Improve Its Cybersecurity Posture? Implement the NIST Cybersecurity Framework
July 2020
Agenda
CISA is an operational agency within the Department of Homeland Security (DHS) that serves as the Nation's infrastructure risk advisor
▪ Webinar Overview and Objectives
▪ National Emergency Communications Plan (NECP)
and SAFECOM Nationwide Survey (SNS):
Cybersecurity
▪ National Institute of Standards and Technology (NIST)
Cybersecurity Framework
▪ Resources and Actions
▪ Question and Answer Session
Webinar Objectives
▪ Discuss the impact of cybersecurity on
emergency communications
▪ Use the NECP to learn practical solutions to
enhance cybersecurity risk management
practices
▪ Gain an understanding of how to implement
the NIST Cybersecurity Framework to
mitigate cyber risk
▪ Provide links to CISA Central and other
CISA resources you can use to mitigate
cyber risk
Presenters
Katharine Willers
Emergency Communications
Cybersecurity and Infrastructure Security Agency
Amy Mahn
Applied Cybersecurity Division
National Institute of Standards and Technology
National Emergency Communications Plan
NECP Goals
Goal 1: Governance and Leadership
Develop and maintain effective emergency communications
governance and leadership across the Emergency
Communications Ecosystem
Goal 2: Planning and Procedures
Develop and update comprehensive emergency
communications plans and procedures that address the
evolution of risks, capabilities, and technologies across the
Emergency Communications Ecosystem
Goal 3: Training, Exercises, and Evaluation
Develop and deliver training, exercise, and evaluation
programs that enhance knowledge and target gaps in all
available emergency communications technologies
Goal 4: Communications Coordination
Improve effective coordination of available operable and
interoperable public safety communications capabilities
for incidents and planned events
Goal 5: Technology and Infrastructure
Improve lifecycle management of the systems and
equipment that enable emergency responders and public
safety officials to share information efficiently and
securely
Goal 6: Cybersecurity
Strengthen the cybersecurity posture of the Emergency
Communications Ecosystem
NECP Vision: To enable the Nation’s emergency response community to communicate and share information securely across
communications technologies in real time, including all levels of government, jurisdictions, disciplines, organizations, and citizens
impacted by any threats or hazards event
Cybersecurity Overview
▪ Cybersecurity is a shared mission across all levels
of government, the private sector,
nongovernmental organizations, and the public
▪ Cyber threats are now more complex and
sophisticated and have become one of public
safety’s greatest operational risks
▪ The number of incidents is on the rise with
significant consequences on emergency
communications systems
▪ The SNS found that 37% of public safety
organizations have been impacted by a
cybersecurity disruption
Public Safety Cyber Incidents
• Madison, Wisconsin Distributed Denial-of-Service Attack – the city's
internet-connected emergency communications system was crippled, which
impeded emergency responders' ability to connect to the 9-1-1 Center and
slowed down the system used to automatically dispatch responders to
emergencies.
• Texas Ransomware Attack – more than 20 entities (mostly small, rural
local governments) were hit with a ransomware attack; the victims were
able to recognize the incident as ransomware and self-reported the
attacks, resulting in a successful coordinated state and federal
response.
SAFECOM Nationwide Survey
▪ The 2018 SNS was a data collection
initiative that supported the content and
recommendations of the NECP
▪ The SNS consisted of 38 questions that
span the 5 elements of the SAFECOM
Interoperability Continuum, plus a security
element that accounted for cybersecurity
▪ Findings from the SNS gauged the status of
the Nation's emergency communications
capabilities and helped inform the NECP's
goals, objectives, and success indicators
SNS: Cybersecurity Planning
▪ 46% of organizations do not incorporate the listed cybersecurity measures into their
cybersecurity planning
▪ 62% of fire departments indicated that they do not conduct any cybersecurity planning
▪ Almost 60% of public safety disciplines located in rural areas do not participate in
cybersecurity planning
[Charts: "Elements that Organizations Incorporate into Cybersecurity Planning", broken
out by discipline and by geography, each showing "Cybersecurity Planning" versus
"None of the Above"]
SNS: Cybersecurity Funding
[Chart: "Funding for Cybersecurity"]
▪ Over 55% of organizations indicated that they don't have funding for
cybersecurity capital investments or operating and maintenance costs
▪ Additionally, 26% of organizations indicated that their cybersecurity
funding is insufficient to meet their needs
SNS: Cybersecurity Additional Insights
▪ Organizations reported that cybersecurity is not prioritized as a topic for Standard Operating
Procedures (SOPs) and is not included in Training and Exercise topics

Cybersecurity Guidelines and Standards Influencing SOPs
Criminal Justice Information Services (CJIS) Guidance: 30%
Communications Security, Reliability, and Interoperability Council's (CSRIC) …: 18%
DHS Communications Sector-Specific Plan (CSSP): 10%
Emergency Services Sector Roadmap to Secure Voice and Data Systems: 8%
Information Sharing and Analysis Centers (ISAC): 5%
National Institute of Standards and Technology (NIST) Cybersecurity …: 4%
Information Sharing and Analysis Organizations (ISAO): 3%
National Cyber Incident Response Plan (NCIRP): 2%

Topics Included in SOPs
Land Mobile Radio (LMR): 67%
Alerts, Warnings, and Notifications: 59%
Social Media: 47%
Next Generation 911 (NG911): 20%
Priority Services: 18%
Broadband: 18%
Cybersecurity: 16%
Project 25 Encryption: 15%
None of the Above: 9%

Topics Included in Emergency Communications Training
National Incident Management …: 85%
Radio Etiquette and Terminology: 78%
Commonly Used Frequencies: 66%
Equipment Training/Refresher: 64%
Interoperability Plans and …: 28%
Software Training/Refresher: 24%
Backup Systems: 21%
Communications Unit (COMU): 15%
Cybersecurity: 9%
National Interoperability Field …: 7%
None of the Above: 2%
NECP Success Indicators: Cybersecurity
▪ Implement the National Institute of Standards and
Technology (NIST) Cybersecurity Framework[1]
▪ Perform a Cyber Resilience Review
▪ Include cybersecurity representatives in governance
bodies
▪ Educate public safety agencies on cybersecurity risk
mitigation
▪ Update training and exercise programs to address
cybersecurity
▪ Develop and maintain a cyber incident response plan in coordination with the
Statewide Interoperability Coordinator and information technology administrators
[Chart: "Percentage of Public Safety Organizations Whose Communications Have Been
Impacted by Cybersecurity Breaches at Some Point in the Last 5 Years"]
NIST Cybersecurity Framework
July 2020
Cybersecurity and the Economy
As technology becomes further integrated into consumers' lives, ensuring
trust becomes more critical, and solutions need to be market-based to scale.
Without trust in the underlying technology:
• Consumers will be reluctant to adopt new applications
• Industry will be reluctant to invest in new infrastructure
• Innovators will be reluctant to offer new ideas
Security is about trust: can technology be used for its desired purpose
without undue risk?
Cybersecurity at NIST
• Role in cybersecurity began in 1972 with the development of the Data Encryption Standard
• Using widely accepted standards helps create competitive markets around market need through combinations of price, quality, performance, and value to consumers
• Ensure timely availability of standards and associated testing
• Achieve cost-efficient, timely and effective solutions to legitimate regulatory, procurement and policy objectives
• Promote standards and standardization systems that enable innovation and foster US competitiveness
• Facilitate international trade and avoid the creation of unnecessary obstacles to trade
Cybersecurity Framework History
• February 2013 – Executive Order 13636: Improving Critical Infrastructure Cybersecurity
• February 2014 – Version 1.0 of the Cybersecurity Framework released
• December 2014 – Cybersecurity Enhancement Act of 2014 (P.L. 113-274)
• May 2017 – Executive Order 13800: Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure
• April 2018 – Version 1.1 of the Cybersecurity Framework released
Cybersecurity Framework Structures
The Core provides an increasingly granular set of activities and outcomes
that enable an organizational dialogue about managing privacy or
cybersecurity risk, based on international standards.
Profiles are a selection of specific Functions, Categories, and
Subcategories from the Core that the organization has prioritized to help
it manage cybersecurity risk. An organization builds a Current Profile and
a Target Profile.
Implementation Tiers help an organization communicate about whether it has
sufficient processes and resources in place to manage cybersecurity risk
and achieve its Target Profile.
Key Framework Attributes
Principles of Current and Future Versions of the Framework
• Common and accessible language
• Adaptable to many technologies, lifecycle phases, sectors and uses
• Risk-based
• Based on standards
• A living document
• Guided by many perspectives – private sector, academia, public sector
An Excerpt from the Framework Core
[Figure: 5 Functions, 23 Categories, 108 Subcategories, 6 Informative References]
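The Core, Profile and Tier structure above is what a gap analysis is computed over: the organization records which Subcategory outcomes it has prioritized and to what degree (Target Profile), compares that with where it is today (Current Profile), and works the differences in priority order. The following Python is an added example written for this page, not NIST's or CISA's code. The five Subcategory IDs and outcome statements are taken from Framework v1.1 (one per Function, out of the 108); the three-step implementation scale, the priorities, and both profiles are constructed sample data.

```python
"""Gap analysis between a Current Profile and a Target Profile of the
NIST Cybersecurity Framework v1.1.

Added example, not code from the webinar. The Subcategory IDs and outcome
text are from Framework v1.1; the implementation scale, priorities and the
two profiles below are constructed for illustration.
"""
from dataclasses import dataclass

# The five Core Functions, in Framework order.
FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")
FUNCTION_BY_PREFIX = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
                      "RS": "Respond", "RC": "Recover"}

# Hypothetical implementation scale for a Subcategory, least to most mature.
STATES = ("not_implemented", "partially_implemented", "implemented")

# A small slice of the Core (5 of 108 Subcategories), keyed by ID.
# ID format is <Function>.<Category>-<n>, e.g. ID.AM-1.
CORE = {
    "ID.AM-1": "Physical devices and systems within the organization are inventoried",
    "PR.AC-1": "Identities and credentials are issued, managed, verified, revoked, "
               "and audited for authorized devices, users and processes",
    "DE.CM-1": "The network is monitored to detect potential cybersecurity events",
    "RS.RP-1": "Response plan is executed during or after an incident",
    "RC.RP-1": "Recovery plan is executed during or after a cybersecurity incident",
}


@dataclass(frozen=True)
class Gap:
    subcategory: str
    function: str
    priority: int    # 1 = highest, as assigned in the Target Profile
    current: str
    target: str
    steps: int       # how many scale steps separate current from target


def function_of(subcategory_id: str) -> str:
    """Map a Subcategory ID such as 'DE.CM-1' to its Function name."""
    return FUNCTION_BY_PREFIX[subcategory_id.split(".", 1)[0]]


def gap_analysis(current_profile: dict, target_profile: dict) -> list:
    """Return the Subcategories in the Target Profile that the Current Profile
    does not yet satisfy, ordered for remediation.

    current_profile: {subcategory_id: state}; an ID absent from the Current
                     Profile is treated as not_implemented.
    target_profile:  {subcategory_id: (priority, state)}; only the outcomes
                     the organization has prioritized appear here.
    Ordering: priority first, then largest distance from target, then ID.
    """
    gaps = []
    for sub_id, (priority, target_state) in target_profile.items():
        if sub_id not in CORE:
            raise ValueError(f"unknown Subcategory in Target Profile: {sub_id}")
        current_state = current_profile.get(sub_id, "not_implemented")
        distance = STATES.index(target_state) - STATES.index(current_state)
        if distance > 0:
            gaps.append(Gap(sub_id, function_of(sub_id), priority,
                            current_state, target_state, distance))
    gaps.sort(key=lambda g: (g.priority, -g.steps, g.subcategory))
    return gaps


def summarize_by_function(gaps: list) -> dict:
    """Count open gaps per Function so results roll up to the Core's top level."""
    counts = {f: 0 for f in FUNCTIONS}
    for g in gaps:
        counts[g.function] += 1
    return counts


# Constructed sample profiles for a small public safety answering point.
CURRENT_PROFILE = {
    "ID.AM-1": "partially_implemented",
    "PR.AC-1": "implemented",
    "DE.CM-1": "not_implemented",
    # RS.RP-1 and RC.RP-1 are absent: no response or recovery plan exists yet.
}
TARGET_PROFILE = {
    "ID.AM-1": (2, "implemented"),
    "PR.AC-1": (1, "implemented"),
    "DE.CM-1": (1, "partially_implemented"),
    "RS.RP-1": (1, "implemented"),
    "RC.RP-1": (3, "partially_implemented"),
}

if __name__ == "__main__":
    gaps = gap_analysis(CURRENT_PROFILE, TARGET_PROFILE)
    for g in gaps:
        print(f"P{g.priority} {g.subcategory} ({g.function}): "
              f"{g.current} -> {g.target} [{g.steps} step(s)]")
    print(summarize_by_function(gaps))
```

Note that a Subcategory already at or beyond its target (PR.AC-1 here) produces no gap, and a Subcategory missing from the Current Profile is treated as not implemented rather than silently skipped; the latter is the common failure mode when a profile spreadsheet has blank rows.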
Sample Resources
www.nist.gov/cyberframework/framework-resources
• Financial Services Profile: Financial Services Sector Specific Cybersecurity "Profile"
• Manufacturing Profile: NIST Discrete Manufacturing Cybersecurity Framework Profile
• Maritime Profile: Bulk Liquid Transport Profile
International Use
Some Translations and Adaptations World-Wide
Resources
Website
• https://nist.gov/cyberframework
Contact
Stay Up to Date
• @NISTcyber
Additional Resources
▪ CISA Central
▪ CISA Cyber Resource Hub and CISA Alerts & Tips
▪ SAFECOM Nationwide Survey Results
▪ National Emergency Communications Plan
▪ NIST Cybersecurity Framework (NIST and CISA resources)
▪ DHS Cybersecurity Services Catalog for State, Local, Tribal, and Territorial
Governments [Note: Change to Tools Fact Sheet if published by then]
▪ SAFECOM and National Council of Statewide Interoperability Coordinators Resources
▪ Emergency Communications Technical Assistance and Planning Guide
How You Can Take Action
▪ Take steps for your organization or jurisdiction to implement the NECP and
achieve its success indicators
▪ Implement the NIST Cybersecurity Framework
▪ Download the CRR Self-Assessment Package or contact the CISA Cybersecurity
Advisor to schedule an on-site visit to your organization
Questions?
Upcoming Webinars